xworm | d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c

Resubmissions

20-04-2024 17:13

240420-vrrwwadh2z 10

12-03-2024 21:36

10-03-2024 04:41

10-03-2024 04:40

10-03-2024 04:38

09-03-2024 07:38

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reaper/Reaper/Reaper.exe
Size

8.3MB
MD5

79d145e3962e71bf725d15b4c0261dac
SHA1

bc9d7a5a347fcefe3b3b81136e83af294bd489f4
SHA256

0ca306be254d1b3aff02ae559e5649e9f0bb10367f692e132d7da39e6860448d
SHA512

2fc3cd1b4542de7313ffea8fc16132df9c305c9ca847d4754e3a645c274933b4dd9682b4dd2585c62e5b8b2307e296fb64e32b758222123bb5c901a95ba0b6df
SSDEEP

196608:wfojS3EHCg1OgwII+XN6h5BOpEAyRHtt7fEiLrArrIx2j1:wojS3E1zg+XN05UpEAcHtt7MiorGg

Score

10^/10

xworm persistence rat trojan upx

Malware Config

Extracted

Family

xworm

l838.ddns.net:3232

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Runtime broker.exe	family_xworm
behavioral5/memory/2520-98-0x0000000000180000-0x000000000019A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

Runtime broker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Runtime broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Runtime broker.exe

Executes dropped EXE 5 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exeRuntime broker.exeWindows Defender Smartscreen.exe

pid process

3024 Reaper.exe
2572 Windows Defender Smartscreen.exe
2520 Runtime broker.exe
472 Windows Defender Smartscreen.exe
1192

pid	process
3024	Reaper.exe
2572	Windows Defender Smartscreen.exe
2520	Runtime broker.exe
472	Windows Defender Smartscreen.exe
1192

Loads dropped DLL 13 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exeWindows Defender Smartscreen.exeReaper.exe

pid	process
1936	Reaper.exe
1936	Reaper.exe
2572	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
472	Windows Defender Smartscreen.exe
3024	Reaper.exe
3024	Reaper.exe
1192

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI25722\python311.dll	upx
behavioral5/memory/472-104-0x000007FEF3D90000-0x000007FEF4379000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Runtime broker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe"	Runtime broker.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

Reaper.exe

description ioc process

File created C:\Windows\Runtime broker.exe Reaper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Runtime broker.exe

pid process

2520 Runtime broker.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2544 powershell.exe
1696 powershell.exe
3064 powershell.exe
2312 powershell.exe
356 powershell.exe

flow	ioc
4	ip-api.com

description	ioc	process
File created	C:\Windows\Runtime broker.exe	Reaper.exe

pid	process
772	schtasks.exe

pid	process
2520	Runtime broker.exe

pid	process
2544	powershell.exe
1696	powershell.exe
3064	powershell.exe
2312	powershell.exe
356	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeRuntime broker.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2520	Runtime broker.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	2520	Runtime broker.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Reaper.exeWindows Defender Smartscreen.exeRuntime broker.exe

description	pid	process	target process
PID 1936 wrote to memory of 2544	1936	Reaper.exe	powershell.exe
PID 1936 wrote to memory of 2544	1936	Reaper.exe	powershell.exe
PID 1936 wrote to memory of 2544	1936	Reaper.exe	powershell.exe
PID 1936 wrote to memory of 2544	1936	Reaper.exe	powershell.exe
PID 1936 wrote to memory of 3024	1936	Reaper.exe	Reaper.exe
PID 1936 wrote to memory of 3024	1936	Reaper.exe	Reaper.exe
PID 1936 wrote to memory of 3024	1936	Reaper.exe	Reaper.exe
PID 1936 wrote to memory of 3024	1936	Reaper.exe	Reaper.exe
PID 1936 wrote to memory of 2572	1936	Reaper.exe	Windows Defender Smartscreen.exe
PID 1936 wrote to memory of 2572	1936	Reaper.exe	Windows Defender Smartscreen.exe
PID 1936 wrote to memory of 2572	1936	Reaper.exe	Windows Defender Smartscreen.exe
PID 1936 wrote to memory of 2572	1936	Reaper.exe	Windows Defender Smartscreen.exe
PID 1936 wrote to memory of 2520	1936	Reaper.exe	Runtime broker.exe
PID 1936 wrote to memory of 2520	1936	Reaper.exe	Runtime broker.exe
PID 1936 wrote to memory of 2520	1936	Reaper.exe	Runtime broker.exe
PID 1936 wrote to memory of 2520	1936	Reaper.exe	Runtime broker.exe
PID 2572 wrote to memory of 472	2572	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 2572 wrote to memory of 472	2572	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 2572 wrote to memory of 472	2572	Windows Defender Smartscreen.exe	Windows Defender Smartscreen.exe
PID 2520 wrote to memory of 1696	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 1696	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 1696	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 3064	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 3064	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 3064	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 2312	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 2312	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 2312	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 356	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 356	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 356	2520	Runtime broker.exe	powershell.exe
PID 2520 wrote to memory of 772	2520	Runtime broker.exe	schtasks.exe
PID 2520 wrote to memory of 772	2520	Runtime broker.exe	schtasks.exe
PID 2520 wrote to memory of 772	2520	Runtime broker.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper\Reaper\Reaper.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAdwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AYwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAbABqACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Users\Admin\AppData\Local\Temp\Reaper.exe
"C:\Users\Admin\AppData\Local\Temp\Reaper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024

C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472

C:\Windows\Runtime broker.exe
"C:\Windows\Runtime broker.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Runtime broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
3⤵
- Creates scheduled task(s)
PID:772

C:\Windows\system32\taskeng.exe
taskeng.exe {9CD8B6D7-19FF-42AD-9FE4-5C192BDD0338} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FastColoredTextBox.dll
Filesize
323KB

MD5
8610f4d3cdc6cc50022feddced9fdaeb

SHA1
4b60b87fd696b02d7fce38325c7adfc9e806f650

SHA256
ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9

SHA512
693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25722\api-ms-win-core-file-l1-2-0.dll
Filesize
13KB

MD5
c0a08223267dca75cc2b59d44d58f7bd

SHA1
bc78b24084e11a8a81976f65b2c6ac51fee0ad6d

SHA256
7f7aa25f8cf3a6ad223075158ffadecdbb2113f199e78bd96c90e59575c02533

SHA512
ce78534e2f022806093547dca1a46995ac9677bc05aaa41718a91b2b68a8efd30e0612a721c4e8e0a4e5abce558bb7a6e24a5430b74885d770a5119293b3b145

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25722\api-ms-win-core-file-l2-1-0.dll
Filesize
13KB

MD5
756d1bce2c2fc7e527e48247fd8b3ef4

SHA1
66b26444d249277bbaed0d7f487618795fe91ef4

SHA256
11a86edc5ca1d6a83c1d8709f8c3e69d9a1ff763ba85fecd49adb6647ba0e9a5

SHA512
78e5bb42ce8cff66f0e58d865faed881d1b9214ca1470276beeb0a7810d5926776e0121f5dbbd7a7f01d0b5ed0a8c0ec57112fcd6fdd45d7a19f39311a2469ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25722\api-ms-win-core-localization-l1-2-0.dll
Filesize
15KB

MD5
946b6834271543c2bf51ec8844aa5253

SHA1
69017dadf33e099da04350c2733479759d5a8cae

SHA256
9d4caef81cfa17a92d17f4f412bec75f02c3f36c746c3736374f1bc51ce17154

SHA512
b8bf7d3cac6620bb6985e374b7c676ab69401c552d15ad80e527bc791d8da73eea5c5f78cf6da6a20640ce5a63349370c30e2560a0daae8ce4382f1ad39d939c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25722\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25722\ucrtbase.dll
Filesize
987KB

MD5
a4781a4c41ada12c5420ee2b9bcbfda3

SHA1
7c394165fafd176908f38c6c5ffe065751b6a868

SHA256
0ef5cc705f0752489ea8f2a79116ca842142cee9f2bbb60ef24e2524b0066a09

SHA512
0055a67d02c59d5f63a3d7b56fe934ae56a80fc56e11819de62ae567fca74724ac6bc885bac37cd3f11a7abd243b9990f8edd674becd7b7a4f89a3325ebab104

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\70C9PXI01JSCVD3QHDUW.temp
Filesize
7KB

MD5
1b23fbe9c1d39742b3a54026cd15a259

SHA1
70c10cde148f4673f1c5cd9a35c049b69acfb1b4

SHA256
6faeb8d01f2b16fdd975f72dcba72272e1a039a6b015ea29e7ad3de8b3afa042

SHA512
76bd96d1c031288ca79494443d9aed6fd3587709e6c17c3f7477c229b9140f1f341ba3f2dabcceca93a09eb1e7482f1f5b30ba718d470b399fe69173398d5e07

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Smartscreen.exe
Filesize
7.8MB

MD5
69d5b0d4d9bb2fbbf840b97c802def96

SHA1
18420ab2e4e873c38b5563d7a07517c46525a62b

SHA256
08b995c990a12834a7712dd237ea2efa85762ac21bb6752c4453381531061a95

SHA512
35c0bdc92630766f857b9770aea12398d8dcc408ff6d2f2a182acab7c3ec9ff0c1cb7bcb243c2c007d62c30e6e595effcd62b2bc046ae98752c2901cc7bacc49

Download Submit
C:\Windows\Runtime broker.exe
Filesize
80KB

MD5
4de8d786d98e91b729b922d851ffb999

SHA1
0d201186b3749418cf83f047cda5f3933cae6178

SHA256
2b2cccac0931eedf03f91f48d012f993c9577ed554fdef8cd300438510feaff5

SHA512
8b921c96dc50a54b34c0ece345c399be84174969e46877d4b105c31931953bcd8879c85c38f19ef6d10da7882e4c10a9834386f7f34a014385d9c70312bbf13c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Reaper.exe
Filesize
42KB

MD5
c7d407dbbe4d83fc37f2fa4f51276c76

SHA1
c6f1f596be6a99566d5862a0aa2f16b90eecb05c

SHA256
fc69c7aee21fa012c9e9de28e35c20eb9ddf473c0ac0b482faebc203dd97999c

SHA512
ed49a442172bdadd6f91db48db3003c5cb749868e9c40a90e8f6b65cdf4b6899d0132cfd70fb08a248412118353d0b4477606385244b90e0883ecdda213403c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25722\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
13KB

MD5
4efc47ca2d7ccd126d48ef7d1215cb3b

SHA1
1071b4606191d294851eb61b3674cd65e5b7aeca

SHA256
f898b6033ed993a1d83d095befa6f045e8823d13469000d755496ec2ff5cc50f

SHA512
c8bcb3e890d10ff5902b233bce8f1ce277e0bf9fcd1f38f7f91f0d2f6a9b3d039016914d44cd860ea8a05d50af048fb2f60e5848b3fdf056785c7cf8694e0521

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25722\api-ms-win-core-timezone-l1-1-0.dll
Filesize
13KB

MD5
b47ebdd6d53056c8f47766952ea44d1d

SHA1
7e687c1f75205ae7154a03d7a07ad8b2e3962432

SHA256
73ceaaa0c05aa62f8629ab074eece8096f2069c772677763c0d85dbf58b06a4d

SHA512
c1517a5cf5a58be9d5cc6b35bfb66d63fafdaa18f62f74a29f1d50fb36261676c00eba6c33f4cac545908ec4d998163fc7f8d59397e5ec044a3284efb612b8b7

Download Submit
memory/356-164-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/356-170-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/356-169-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/356-166-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/356-168-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/356-165-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/356-167-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/472-104-0x000007FEF3D90000-0x000007FEF4379000-memory.dmp

Filesize
5.9MB

Download
memory/1696-126-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

Filesize
9.6MB

Download
memory/1696-122-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

Filesize
9.6MB

Download
memory/1696-127-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

Filesize
9.6MB

Download
memory/1696-125-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/1696-124-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1696-123-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1696-120-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/1696-121-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2312-154-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2312-149-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-157-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-153-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2312-152-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2312-151-0x000007FEEE9F0000-0x000007FEEF38D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-150-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2520-109-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-98-0x0000000000180000-0x000000000019A000-memory.dmp

Filesize
104KB

Download
memory/2520-113-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2520-163-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2520-136-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-103-0x0000000002B90000-0x0000000002BD0000-memory.dmp

Filesize
256KB

Download
memory/2544-100-0x0000000071C70000-0x000000007221B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-101-0x0000000002B90000-0x0000000002BD0000-memory.dmp

Filesize
256KB

Download
memory/2544-102-0x0000000071C70000-0x000000007221B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-111-0x0000000071C70000-0x000000007221B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-112-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/3024-83-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/3024-99-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-108-0x00000000006C0000-0x0000000000718000-memory.dmp

Filesize
352KB

Download
memory/3024-110-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/3024-128-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-139-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/3064-134-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3064-135-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/3064-137-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/3064-138-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/3064-140-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/3064-143-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/3064-142-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/3064-141-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download